Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0.beta
Component/s: selinux-policy
Labels:
- known_issue_100

Regression:
No
Severity:
None
Epic Link:
SELINUX-3594

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Acceptance Criteria:

Hide

The reproducer does not trigger SELinux denials.

Show
The reproducer does not trigger SELinux denials.
Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Building a disk image with livemedia-creator produces the following avc denials (likely limited to ppc64le and aarch64, untested on s390x, not seen on x86_64):

aarch64:

time->Fri Sep 13 12:46:11 2024
type=PROCTITLE msg=audit(1726245971.221:731): proctitle=67726F7570616464002D66002D6700313134002D7200706F6C6B697464
type=SYSCALL msg=audit(1726245971.221:731): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaaabd570680 a2=88902 a3=0 items=0 ppid=8258 pid=8260 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1726245971.221:731): avc:  denied  { write } for  pid=8260 comm="groupadd" name="group" dev="dm-5" ino=21649 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Fri Sep 13 12:46:35 2024
type=PROCTITLE msg=audit(1726245995.031:735): proctitle=67726F7570616464002D720073737364
type=SYSCALL msg=audit(1726245995.031:735): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaaab5140680 a2=88902 a3=0 items=0 ppid=8358 pid=8360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1726245995.031:735): avc:  denied  { write } for  pid=8360 comm="groupadd" name="group" dev="dm-5" ino=21649 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

ppc64le:

time->Fri Sep 13 13:09:37 2024
type=PROCTITLE msg=audit(1726247377.094:698): proctitle=67726F7570616464002D66002D6700313134002D7200706F6C6B697464
type=SYSCALL msg=audit(1726247377.094:698): arch=c0000015 syscall=286 success=no exit=-13 a0=ffffffffffffff9c a1=1159a0680 a2=88902 a3=0 items=0 ppid=7463 pid=7465 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1726247377.094:698): avc:  denied  { write } for  pid=7465 comm="groupadd" name="group" dev="dm-5" ino=23082 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Fri Sep 13 13:09:56 2024
type=PROCTITLE msg=audit(1726247396.773:702): proctitle=67726F7570616464002D720073737364
type=SYSCALL msg=audit(1726247396.773:702): arch=c0000015 syscall=286 success=no exit=-13 a0=ffffffffffffff9c a1=135160680 a2=88902 a3=0 items=0 ppid=7557 pid=7559 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1726247396.773:702): avc:  denied  { write } for  pid=7559 comm="groupadd" name="group" dev="dm-5" ino=23082 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

Observed on RHEL-10.0-20240901.1 with selinux-policy-40.13.9-1.el10.noarch, lorax-40.5.6-1.el10.s390x, anaconda-40.22.3.12-1.el10.s390x.

Steps to reproduce:

Install lorax package, download a RHEL-10 boot.iso, prepare a kickstart file for livemedia-creator (you can use the attached one).
Try to create a disk image using livemedia-creator:
livemedia-creator --make-disk --no-virt --iso boot.iso --ks ks.cfg --nomacboot

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

aarch64-avc.log
2024/09/16 3:14 PM
2 kB
Jiri Kortus
aarch64-enforcing.log
2024/09/25 11:07 AM
36 kB
Milos Malik
aarch64-permissive.log
2024/09/25 11:07 AM
23 kB
Milos Malik
ppc64-avc.log
2024/09/16 3:15 PM
2 kB
Jiri Kortus
ppc64le-enforcing.log
2024/09/25 11:53 AM
36 kB
Milos Malik
ppc64le-permissive.log
2024/09/25 1:47 PM
22 kB
Milos Malik

Assignee:: Zdenek Pytela

Reporter:: Jiri Kortus

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/09/16 2:51 PM

Updated:: 2024/10/23 2:58 PM

Details

Description

Attachments

Attachments

Easy Agile Planning Poker

Activity

People

Dates